On Tue, Feb 24, 2004 at 10:27:58AM -0500, John Baldwin wrote:
> > Armoring nologin(8) is insufficient.

Yes.

> > In particular, as David Schultz pointed out, there are a lot
> > of home-grown nologin scripts out there that are potentially
> > vulnerable regardless of what we do with the "official"
> > nologin program.
>
> Then do both. :)

People, please be aware that it is not a nologin problem at all, so please do not touch nologin in this direction. For example, any 3rd party shell from ports or any home-grown admin shells/scripts _generally_ suffer from this problem. It means that login, telnetd, su etc., whatever logs in and calls the shell, should be fixed to never pass LD_* variables to the shell. Don't pick one particular shell (nologin) and think you are secure.

--
Andrey Chernov | http://ache.pp.ru/

Received on Tue Feb 24 2004 - 15:17:48 UTC
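
An added example, not part of the original message and not FreeBSD's own code: one way a login-type program could drop every LD_* entry from the environment it hands to whatever shell it executes. The function name `scrub_ld_env` and the sample environment are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Return a new NULL-terminated vector holding every entry of envp except
 * those whose name starts with "LD_". Entries are shared with envp; only
 * the vector is allocated. *dropped receives the number of removed entries.
 * Returns NULL on allocation failure so the caller can refuse to exec.
 */
char **scrub_ld_env(char *const envp[], size_t *dropped)
{
    size_t n = 0, kept = 0;
    char **clean;

    while (envp[n] != NULL)
        n++;
    clean = calloc(n + 1, sizeof(*clean));
    if (clean == NULL)
        return NULL;
    *dropped = 0;
    for (size_t i = 0; i < n; i++) {
        if (strncmp(envp[i], "LD_", 3) == 0)
            (*dropped)++;            /* run-time linker variable: omit */
        else
            clean[kept++] = envp[i]; /* anything else passes through */
    }
    clean[kept] = NULL;
    return clean;
}

int main(void)
{
    /* Constructed sample environment, as a login program might receive it. */
    char *const sample[] = { "TERM=vt100", "LD_PRELOAD=/tmp/x.so",
                             "LD_LIBRARY_PATH=/tmp", "HOME=/home/u", NULL };
    size_t dropped;
    char **clean = scrub_ld_env(sample, &dropped);

    if (clean == NULL)
        return 1;
    for (char **p = clean; *p != NULL; p++)
        puts(*p);
    fprintf(stderr, "dropped %zu LD_* entries\n", dropped);
    free(clean);
    return 0;
}
```

The returned vector is what the caller would pass as the third argument to execve(2), so the filtering applies to any shell, not only nologin.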